CISA Warns of Active Exploitation of SolarWinds Serv-U Denial-of-Service Flaw

The Cybersecurity and Infrastructure Security Agency has added a recently patched high-severity vulnerability in SolarWinds Serv-U to its Known Exploited Vulnerabilities catalog, warning that hackers are actively exploiting it to crash servers. The flaw, tracked as CVE-2026-28318, stems from uncontrolled resource consumption and allows remote unauthenticated attackers to crash the Serv-U service using specially crafted POST requests with Content-Encoding: deflate. SolarWinds released Serv-U 15.5.4 Hotfix 1 on Thursday to patch the vulnerability, which requires no user interaction and low complexity to exploit.

CISA ordered Federal Civilian Executive Branch agencies to patch their servers by June 19, while urging all network defenders, including the private sector, to secure their networks against the ongoing attacks. Shodan tracks over 12,000 exposed Serv-U servers online, though it is unclear how many have been patched. Administrators unable to deploy the patch immediately can limit access to known addresses and block any POST request carrying a Content-Encoding header, as the vulnerable Serv-U service does not require this functionality.
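The two interim mitigations above (a source-address allow-list and rejecting POST requests that carry a Content-Encoding header) are simple enough to express as a request filter at a reverse proxy or WAF in front of Serv-U. The following is an added example written for this article; it is not SolarWinds code, the networks, hostnames and request samples are constructed, and it is a stop-gap that does not replace installing Serv-U 15.5.4 Hotfix 1.

```python
"""Stop-gap request filter mirroring the interim mitigations described for
CVE-2026-28318: restrict Serv-U's web interface to known source addresses and
reject POST requests that carry a Content-Encoding header.

Added example: a hypothetical filter meant to sit in a reverse proxy or WAF in
front of Serv-U. It is not SolarWinds code and does not replace the hotfix.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed allow-list of networks permitted to reach the Serv-U web UI.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),   # RFC 5737 documentation range
]


def parse_request_head(raw: bytes) -> Tuple[str, str, Dict[str, List[str]]]:
    """Parse the request line and headers of an HTTP/1.x request head.

    Returns (method, target, headers). Header names are lower-cased so that
    'Content-Encoding', 'content-encoding' and 'CONTENT-ENCODING' all match;
    repeated headers are collected into a list so none is silently dropped.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, _version = parts
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method.upper(), target, headers


def filter_decision(client_ip: str, raw_request: bytes,
                    allowed=ALLOWED_NETWORKS) -> Tuple[bool, str]:
    """Return (blocked, reason) for one request.

    The source-address check runs first, so a request from an unknown client
    never reaches the header parser at all.
    """
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in allowed):
        return True, "source address not in allow-list"
    method, _target, headers = parse_request_head(raw_request)
    # Serv-U does not need request-body compression, so any Content-Encoding
    # value on a POST is rejected, not only 'deflate'.
    if method == "POST" and "content-encoding" in headers:
        enc = ", ".join(headers["content-encoding"])
        return True, f"POST with Content-Encoding: {enc}"
    return False, "allowed"


# Constructed sample traffic; only request heads are modelled, no bodies.
SAMPLE_TRAFFIC = [
    ("10.1.2.3", b"GET /index.html HTTP/1.1\r\nHost: serv-u.example\r\n\r\n"),
    ("10.1.2.3", b"POST /api/login HTTP/1.1\r\nHost: serv-u.example\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"),
    ("10.1.2.3", b"POST /api/login HTTP/1.1\r\nHost: serv-u.example\r\n"
                 b"content-encoding: deflate\r\n\r\n"),
    ("203.0.113.9", b"POST /api/login HTTP/1.1\r\nHost: serv-u.example\r\n\r\n"),
]


def run_samples(traffic=SAMPLE_TRAFFIC) -> List[Tuple[bool, str]]:
    """Apply the filter to each constructed sample and collect the verdicts."""
    return [filter_decision(ip, raw) for ip, raw in traffic]


if __name__ == "__main__":
    for (ip, raw), (blocked, reason) in zip(SAMPLE_TRAFFIC, run_samples()):
        verdict = "BLOCK" if blocked else "PASS "
        print(f"{verdict} {ip:<14} {raw.split(b' ')[0].decode()} {reason}")
```

Header names are matched case-insensitively on purpose: a filter that only looks for the exact spelling `Content-Encoding` would pass `content-encoding: deflate` straight through. Logging the `reason` string from blocked requests also gives defenders a cheap indicator of attempts against an unpatched host.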

Multiple cybercrime and state-backed hacking groups have targeted Serv-U vulnerabilities in recent years, including the Clop ransomware gang exploiting CVE-2021-35211 and DEV-0322 Chinese hackers using the same flaw in zero-day attacks. In June 2024, GreyNoise and Rapid7 tagged a Serv-U path-traversal vulnerability as actively exploited. CISA has now flagged 11 vulnerabilities across various SolarWinds products as actively exploited in attacks over the past several years. The agency warns that this type of vulnerability poses significant risks to federal enterprise systems and is a frequent attack vector for malicious cyber actors.
